If you know neither the enemy nor yourself, you will succumb in every battle.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
But if you know the enemy and know yourself you need not fear the result of a hundred battles.
The Art of War (Sun Tzu)

The pytnsproxy tool

Description

This is the proof-of-concept code for a presentation I gave at Hacktivity 2009. It implements the following attacks:

  • It is able to hijack an Oracle connection with a MITM attack (the supported platforms are limited).
  • It is able to conduct the well-known NTLM downgrade and static challenge attack against an Oracle database and client.
  • It is able to downgrade the JDBC 11g authentication to the older version. Until 11g the JDBC thin driver did not support the newer Oracle native authentication algorithms.
  • It is able to downgrade the Windows Kerberos authentication to NTLM between an Oracle database and client.
  • It logs the authentication data of NTLMv1 and of the native Oracle authentication in a form that can be used in John the Ripper and in woraauthbf (currently woraauthbf supports only the 8i authentication brute force).
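Of the attacks listed above, the NTLM downgrade and the static challenge are the two a defender can watch for directly on the wire. The Python 3 script below is an added example written for this page, not part of pytnsproxy: it parses the NTLMSSP CHALLENGE_MESSAGE (type 2) layout from MS-NLMP, flags a server that negotiates NTLM without extended session security or target info (the condition that leaves a client answering with plain NTLMv1), and flags a server challenge that repeats across sessions instead of being fresh. The sample messages are constructed here for the demonstration; the script assumes the NTLMSSP blobs have already been extracted from the TNS stream, which it does not parse.

```python
"""Detect two NTLM weaknesses on captured server CHALLENGE messages:
an NTLMv1 downgrade (no extended session security) and a static,
repeating server challenge.  Added example, not pytnsproxy code."""
import struct
from collections import Counter

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# NegotiateFlags bits as defined in MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000


def parse_challenge(msg):
    """Return (flags, server_challenge) from a raw CHALLENGE_MESSAGE.
    Layout: signature[0:8], type[8:12], TargetNameFields[12:20],
    NegotiateFlags[20:24], ServerChallenge[24:32]."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError("expected CHALLENGE_MESSAGE (type 2), got %d" % msg_type)
    flags = struct.unpack_from("<I", msg, 20)[0]
    return flags, msg[24:32]


def challenge_findings(msg):
    """Per-message findings for a downgraded negotiation."""
    flags, _ = parse_challenge(msg)
    findings = []
    if (flags & NTLMSSP_NEGOTIATE_NTLM) and not (flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY):
        findings.append("downgrade: NTLM negotiated without extended session security")
    if not (flags & NTLMSSP_NEGOTIATE_TARGET_INFO):
        findings.append("downgrade: no target info (NTLMv2 response cannot bind to server)")
    return findings


def static_challenge_findings(msgs, min_repeats=2):
    """A server challenge must be fresh per session; the same 8 bytes seen in
    several sessions points at a static challenge.  Returns {hex: count}."""
    counts = Counter(parse_challenge(m)[1] for m in msgs)
    return {c.hex(): n for c, n in counts.items() if n >= min_repeats}


def build_challenge(flags, challenge):
    """Build a constructed CHALLENGE_MESSAGE for testing (not captured traffic):
    empty TargetName and TargetInfo, no Version field, 48 bytes total."""
    assert len(challenge) == 8
    target_name = struct.pack("<HHI", 0, 0, 48)   # Len, MaxLen, Offset
    target_info = struct.pack("<HHI", 0, 0, 48)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
            + target_name + struct.pack("<I", flags) + challenge
            + b"\x00" * 8 + target_info)


HEALTHY_FLAGS = (NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
                 | NTLMSSP_NEGOTIATE_TARGET_INFO)
DOWNGRADED_FLAGS = NTLMSSP_NEGOTIATE_NTLM

# Constructed sample capture: two healthy sessions with fresh challenges,
# then two downgraded sessions that reuse the same challenge bytes.
SAMPLE_CAPTURE = [
    build_challenge(HEALTHY_FLAGS, b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    build_challenge(HEALTHY_FLAGS, b"\x9a\x8b\x7c\x6d\x5e\x4f\x30\x21"),
    build_challenge(DOWNGRADED_FLAGS, b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11"),
    build_challenge(DOWNGRADED_FLAGS, b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11"),
]


def audit(msgs):
    """Run both checks over a list of raw CHALLENGE_MESSAGE byte strings."""
    return {"per_message": [challenge_findings(m) for m in msgs],
            "repeated_challenges": static_challenge_findings(msgs)}


if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURE)
    for i, findings in enumerate(report["per_message"]):
        print("session %d: %s" % (i, findings or ["ok"]))
    print("repeated challenges:", report["repeated_challenges"])
```

In a real deployment the two checks complement each other: the flag check fires on a single session, while the repeat check needs a few sessions but catches a proxy that keeps the flags intact and only pins the challenge.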

License

It is released under GPLv2; use it at your own responsibility.

Download

The current version is 0.1 and it is PoC code, thus it needs massive code cleaning, refactoring and bug hunting. This version can be called the “just works” version. The source can be downloaded from here.

Prerequisites

It was tested on Windows and Linux with the following:

  • Python 2.6
  • python-configobj-4.6.0
  • bitstring-0.5.2
  • OpenSSL, to compile the aesdecrypt module
  • boost-1.37.0, to compile the aesdecrypt module (it uses the boost_python library)

Install

Linux

On Linux systems just unpack the archive and run “make”. If the necessary libraries are installed it will compile aesdecrypt.cpp. If SELinux is enabled you will get an error message when you run pytnsproxy:

Traceback (most recent call last):
  File "pytnsproxy.py", line 11, in <module>
    from aesdecrypt import *
ImportError: /release/pythonproxy/aesdecrypt.so: cannot restore segment prot after reloc: Permission denied

You can use the following command:

chcon -t textrel_shlib_t aesdecrypt.so

Please read the SELinux documentation for more details.

Windows

I successfully compiled aesdecrypt.cpp with Visual Studio 2008 Express, Boost 1.39 and OpenSSL. You can find an example Jamroot file in the source distribution. You need a user-config.jam file in your home directory:

using msvc : 9.0 ;
using python : 2.6 : C:/Python26 ;

Start the Visual Studio 2008 Command Prompt and set the BOOST_BUILD_PATH environment variable:

set BOOST_BUILD_PATH="c:\Program Files (x86)\boost\boost_1_39\tools\build\v2"

Adjust the Jamroot file for your environment. Then start bjam:

bjam release

Copy the aespython.pyd file from the bin\msvc-9.0\release\link-static\threading-multi\ folder to the base folder of pytnsproxy.

Disclaimer

The views, opinions and thoughts in this homepage are the views, opinions and thoughts of the writer of this homepage and do not represent the views, opinions or thoughts of any past or current employer of the writer or any other third person. The content is provided 'as is' without warranty of any kind. Use at your own responsibility. Laszlo may be contacted on donctl@gmail.com.